The vulnerability exists within the Headless API component of Liferay Portal. The system fails to enforce a maximum limit on the number of data objects returned in a single API response. An attacker can exploit this by crafting a malicious request to an endpoint that queries a large dataset, such as `/o/headless-admin-user/v1.0/roles` or `/o/headless-delivery/v1.0/sites`. Without pagination controls or result caps, the server attempts to load, process and serialize an excessively large result set into a single JSON response. This consumes disproportionate amounts of server memory, database connections, and CPU cycles, leading to resource exhaustion. Consequently, the application becomes unresponsive, creating a denial-of-service condition that prevents legitimate users from accessing the portal services.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.99
Vulnerability: Unbounded Resource Consumption
Severity: High
Date: 2025-10-27
Prediction: Patch 2025-11-10
What Undercode Says:
```shell
curl -X GET "http://<target>/o/headless-admin-user/v1.0/roles?page=1&pageSize=1000000"
```

```java
// Example of a vulnerable Headless REST Builder query: ALL_POS..ALL_POS fetches every role with no cap
import com.liferay.portal.kernel.dao.orm.QueryUtil;
import com.liferay.portal.kernel.model.Role;
import com.liferay.portal.kernel.service.RoleLocalServiceUtil;
import com.liferay.portal.vulcan.pagination.Page;

public Page<Role> getRoles() {
    return Page.of(RoleLocalServiceUtil.getRoles(QueryUtil.ALL_POS, QueryUtil.ALL_POS));
}
```
How to Exploit:
Craft HTTP GET requests to high-cardinality Headless API endpoints, either without pagination parameters or with an oversized `pageSize`, to trigger massive database queries and memory allocation.
Protection from this CVE:
Apply the vendor patch. Implement strict pagination limits on the server side. Configure API gateways for request filtering and result size limiting. Use WAF rules to block requests with abnormally high `pageSize` parameters.
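The gateway-side filtering and result-size limiting described above, as an added example (not Liferay's code and not part of the original post). It parses constructed combined-format access-log lines, clamps `pageSize` on `/o/headless-*` endpoints to an assumed cap, and blocks requests whose `pageSize` exceeds an assumed abuse threshold; the cap, threshold, and path prefix are assumptions to tune per deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAX_PAGE_SIZE = 100     # assumed cap: largest pageSize the gateway forwards to Liferay
BLOCK_ABOVE = 10_000    # assumed WAF threshold: anything larger is abuse, not a typo
HEADLESS_PREFIX = "/o/headless-"   # assumed: all Headless API paths share this prefix

# Combined log line: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def requested_page_size(target):
    """pageSize from the query string, or None when absent or not an integer."""
    raw = parse_qs(urlsplit(target).query).get("pageSize", [None])[0]
    try:
        return int(raw) if raw is not None else None
    except ValueError:
        return None

def decide(method, target):
    """Return (verdict, effective_page_size); verdict is pass, clamp or block."""
    if method != "GET" or not urlsplit(target).path.startswith(HEADLESS_PREFIX):
        return "pass", None
    size = requested_page_size(target)
    if size is None or size < 1:
        # Missing or invalid pageSize: force the cap instead of trusting server defaults
        return "clamp", MAX_PAGE_SIZE
    if size > BLOCK_ABOVE:
        return "block", None
    if size > MAX_PAGE_SIZE:
        return "clamp", MAX_PAGE_SIZE
    return "pass", size

def triage_log(lines):
    """Group parsed requests by verdict: {verdict: [(ip, target), ...]}."""
    out = {"pass": [], "clamp": [], "block": []}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            verdict, _ = decide(m["method"], m["target"])
            out[verdict].append((m["ip"], m["target"]))
    return out

# Constructed sample access-log lines, not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2025:10:00:01 +0000] "GET /o/headless-admin-user/v1.0/roles?page=1&pageSize=1000000 HTTP/1.1" 200 52',
    '203.0.113.7 - - [27/Oct/2025:10:00:02 +0000] "GET /o/headless-delivery/v1.0/sites HTTP/1.1" 200 3124',
    '198.51.100.4 - - [27/Oct/2025:10:00:03 +0000] "GET /o/headless-admin-user/v1.0/roles?page=2&pageSize=20 HTTP/1.1" 200 1990',
    '198.51.100.4 - - [27/Oct/2025:10:00:04 +0000] "GET /web/guest/home HTTP/1.1" 200 8811',
]
```

Run `triage_log(SAMPLE_LOG)` to see the million-row request land in `block`, the unpaginated `sites` request in `clamp`, and the 20-row request pass unchanged.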
Impact:
Application-wide Denial of Service, resource exhaustion, and service unavailability.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode